Christian:

>>> Thanks. I am not 100% sure that we actually have an attack against the
>>> [EC]DH+PSK combination, but I am confident that if the PSK secret is weak,
>>> the attacker can get to the early data. If only for that, it is prudent to
>>> use long enough PSK.
>>
>> As stated in draft-ietf-tls-8773bis, some people are interested in using the
>> external PSK with a certificate to protect against the future invention of a
>> Cryptographically Relevant Quantum Computer (CRQC). Others want to use a
>> public key with a factory-provisioned secret value for the initial
>> enrollment of a device in an enterprise network (for example
>> draft-ietf-emu-bootstrapped-tls).
>>
>> For the security considerations, I suggest an additional paragraph:
>>
>>    Implementations must use sufficiently large external PSKs. For
>>    protection against the future invention of a CRQC, the external PSK
>>    needs to be at least 256 bits.
>>
>> Does that resolve your concern?
>
> Yes.
I think there is a companion point to be made. I suggest:

   Implementations must use a ciphersuite that includes a symmetric
   encryption algorithm with sufficiently large keys. For protection
   against the future invention of a CRQC, the symmetric key needs to be
   at least 256 bits.

   Implementations must use sufficiently large external PSKs. For
   protection against the future invention of a CRQC, the external PSK
   needs to be at least 256 bits.

Russ

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
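The two proposed requirements (a 256-bit external PSK and a 256-bit symmetric key), and Christian's observation that a weak PSK exposes early data, can both be made concrete with the TLS 1.3 key schedule. The following is an added example written for this page, not code from the thread, from draft-ietf-tls-8773bis or from any TLS implementation. It implements HKDF (RFC 5869) and the RFC 8446 Section 7.1 derivations with the standard library only, checks a PSK/cipher-suite pair against the 256-bit floor, and shows why a short PSK is fatal: the PSK binder sent in the clear in the ClientHello is an HMAC whose key is derived from nothing but the PSK, so a passive observer can test candidate PSKs offline and then derive client_early_traffic_secret. The cipher-suite table, the `MIN_CRQC_BITS` constant, the function names and the ClientHello bytes are all assumptions of the example; the "partial ClientHello" is treated as an opaque byte string rather than a parsed handshake message.

```python
import hashlib
import hmac
import secrets

# Per-suite parameters from RFC 8446, Appendix B.4: AEAD key size in bits and
# the hash that drives the HKDF key schedule. (Table constructed for this example.)
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256": (128, "sha256"),
    "TLS_AES_256_GCM_SHA384": (256, "sha384"),
    "TLS_CHACHA20_POLY1305_SHA256": (256, "sha256"),
    "TLS_AES_128_CCM_SHA256": (128, "sha256"),
    "TLS_AES_128_CCM_8_SHA256": (128, "sha256"),
}
MIN_CRQC_BITS = 256  # floor proposed in the thread for both the PSK and the AEAD key


def crqc_policy_errors(psk: bytes, suite: str) -> list:
    """Return the policy violations for an external PSK + cipher suite pair (empty = OK)."""
    if suite not in TLS13_SUITES:
        return [f"unknown TLS 1.3 cipher suite {suite}"]
    key_bits, _ = TLS13_SUITES[suite]
    errors = []
    if key_bits < MIN_CRQC_BITS:
        errors.append(f"{suite}: symmetric key is {key_bits} bits, need >= {MIN_CRQC_BITS}")
    if len(psk) * 8 < MIN_CRQC_BITS:
        errors.append(f"external PSK is {len(psk) * 8} bits, need >= {MIN_CRQC_BITS}")
    return errors


def hkdf_extract(hash_name: str, salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 Extract; an empty salt means Hash.length zero bytes (RFC 8446 sect. 7.1).
    if not salt:
        salt = bytes(hashlib.new(hash_name).digest_size)
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(hash_name: str, prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated and truncated.
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(hash_name, secret, label: bytes, context: bytes, length: int) -> bytes:
    # HkdfLabel (RFC 8446 sect. 7.1): uint16 length, opaque "tls13 " + label, opaque context.
    full_label = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(hash_name, secret, info, length)


def derive_secret(hash_name, secret, label: bytes, transcript: bytes) -> bytes:
    # Derive-Secret(Secret, Label, Messages) = Expand-Label(Secret, Label, Hash(Messages), Hash.length)
    h = hashlib.new(hash_name, transcript)
    return hkdf_expand_label(hash_name, secret, label, h.digest(), h.digest_size)


def early_secrets(psk: bytes, suite: str, partial_client_hello: bytes):
    """binder_key and client_early_traffic_secret; the PSK is the only secret input."""
    _, hash_name = TLS13_SUITES[suite]
    early = hkdf_extract(hash_name, b"", psk)  # Early Secret = HKDF-Extract(0, PSK)
    binder_key = derive_secret(hash_name, early, b"ext binder", b"")  # external PSK label
    early_traffic = derive_secret(hash_name, early, b"c e traffic", partial_client_hello)
    return binder_key, early_traffic


def psk_binder(psk: bytes, suite: str, partial_client_hello: bytes) -> bytes:
    """PskBinderEntry (RFC 8446 sect. 4.2.11.2): a Finished-style MAC keyed from binder_key."""
    _, hash_name = TLS13_SUITES[suite]
    binder_key, _ = early_secrets(psk, suite, partial_client_hello)
    digest_size = hashlib.new(hash_name).digest_size
    finished_key = hkdf_expand_label(hash_name, binder_key, b"finished", b"", digest_size)
    transcript_hash = hashlib.new(hash_name, partial_client_hello).digest()
    return hmac.new(finished_key, transcript_hash, hash_name).digest()


def recover_weak_psk(observed_binder: bytes, suite: str, partial_client_hello: bytes,
                     psk_len: int):
    """Passive offline attack on a short PSK: every candidate is checked against the
    binder seen in the ClientHello. Feasible here only because psk_len is tiny."""
    for candidate in range(256 ** psk_len):
        guess = candidate.to_bytes(psk_len, "big")
        if hmac.compare_digest(psk_binder(guess, suite, partial_client_hello), observed_binder):
            return guess
    return None


def generate_external_psk(bits: int = MIN_CRQC_BITS) -> bytes:
    """Provision an external PSK of the required size from the OS CSPRNG."""
    return secrets.token_bytes(bits // 8)


if __name__ == "__main__":
    # Constructed stand-in for the ClientHello bytes that precede the binders list.
    partial_hello = b"\x01\x00\x00\x80\x03\x03" + bytes(32) + b"constructed ClientHello prefix"
    suite = "TLS_AES_256_GCM_SHA384"
    weak_psk = b"\x12\x34"  # 16-bit PSK: strong suite, but the PSK is the weak link
    binder = psk_binder(weak_psk, suite, partial_hello)
    found = recover_weak_psk(binder, suite, partial_hello, len(weak_psk))
    print("recovered PSK:", found.hex())
    print("attacker's client_early_traffic_secret:", early_secrets(found, suite, partial_hello)[1].hex())
    print("policy (weak):  ", crqc_policy_errors(weak_psk, "TLS_AES_128_GCM_SHA256"))
    print("policy (strong):", crqc_policy_errors(generate_external_psk(), suite))
```

Running the block recovers the two-byte PSK from the binder alone and derives the early traffic secret, which is exactly the exposure Christian describes; a 256-bit PSK from `generate_external_psk()` makes the same search infeasible even with Grover-style quadratic speedup, which is the reasoning behind the 256-bit floor for both the PSK and the AEAD key. In a real stack the transcript fed to the binder and to "c e traffic" is the ClientHello up to (but not including) the binders list, and the label is "res binder" for resumption PSKs; the policy check should run where the external PSK is provisioned, not only where it is used.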